lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 30 Aug 2018 12:40:53 +0200 (CEST)
From:   Thomas Gleixner <tglx@...utronix.de>
To:     Dave Hansen <dave.hansen@...el.com>
cc:     Sean Christopherson <sean.j.christopherson@...el.com>,
        linux-kernel@...r.kernel.org, Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org
Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as
 a bad area

On Tue, 7 Aug 2018, Dave Hansen wrote:
> On 08/07/2018 10:29 AM, Sean Christopherson wrote:
> >  	if (unlikely(fault_in_kernel_space(address))) {
> > +		/*
> > +		 * We should never encounter a protection keys fault on a
> > +		 * kernel address as kernel address are always mapped with
> > +		 * _PAGE_USER=0, i.e. PKRU isn't enforced.
> > +		 */
> > +		if (WARN_ON_ONCE(error_code & X86_PF_PK))
> > +			goto bad_kernel_address;
> 
> I just realized one more thing: the vsyscall page can bite us here.
> It's at a fault_in_kernel_space() address and we *can* trigger a pkey
> fault on it if we jump to an instruction that reads from a
> pkey-protected area.
> 
> We can make a gadget out of unaligned vsyscall instructions that does
> that.  See:
> 
> 0xffffffffff600002:  shlb   $0x0,0x0(%rax)
> 
> Then, we turn off access to all pkeys, including pkey-0, then jump to
> the unaligned vsyscall instruction, which reads %rax, which is a kernel
> address:
> 
>         asm("movl $0xffffffff, %eax;\
>              movl $0x00000000, %ecx;\
>              movl $0x00000000, %edx;\
>              wrpkru;\
>              movq $0xffffffffff600000, %rax;\
>              movq $0xffffffffff600002, %rbx;\
>              jmpq *%rbx;");
> 
> So, my bad.  It was not a good suggestion to do a WARN_ON().  But, the
> other funny thing is I would have expected spurious_fault() to get us
> into a fault loop, which it doesn't.  It's definitely getting *called*
> with my little test program (I see it in ftrace) but it's not quite
> doing what I expect.
> 
> I need to dig a bit more.

Given the time span you should be close to ground water with your digging
by now.

Thanks,

	tglx

Powered by blists - more mailing lists